- The MAILING DATE of this communication appears on the cover sheet with the correspondence address -



Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely.

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication.

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).

- Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) [X] Responsive to communication(s) filed on 12/20/99.
2a) [ ] This action is FINAL. 2b) [X] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims

4) [X] Claim(s) 1-17 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) [ ] Claim(s) is/are allowed.

6) [X] Claim(s) 1-17 is/are rejected.

7) [ ] Claim(s) is/are objected to.

8) [ ] Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.

10) [ ] The drawing(s) filed on is/are: a) [ ] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).

11) [ ] The proposed drawing correction filed on is: a) [ ] approved b) [ ] disapproved by the Examiner.

If approved, corrected drawings are required in reply to this Office action.

12) [ ] The oath or declaration is objected to by the Examiner.

Priority under 35 U.S.C. §§119 and 120

13) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).

a) [ ] All b) [ ] Some* c) [ ] None of:

1. [ ] Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. .

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).

* See the attached detailed Office action for a list of the certified copies not received.

14) [ ] Acknowledgment is made of a claim for domestic priority under 35 U.S.C. § 119(e) (to a provisional application).

a) [ ] The translation of the foreign language provisional application has been received.

15) [ ] Acknowledgment is made of a claim for domestic priority under 35 U.S.C. §§ 120 and/or 121.

Attachment(s)

1) [X] Notice of References Cited (PTO-892)
2) [ ] Notice of Draftsperson's Patent Drawing Review (PTO-948)
3) [ ] Information Disclosure Statement(s) (PTO-1449) Paper No(s) .
4) [ ] Interview Summary (PTO-413) Paper No(s). .
5) [ ] Notice of Informal Patent Application (PTO-152)
6) [ ] Other:

U.S. Patent and Trademark Office
DETAILED ACTION

1. Claims 1-17 are pending.



Claim Rejections - 35 USC § 103 



2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

3. Claims 1, 5, 12, 13, 15 and 16 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Thomlinson et al US Patent No. 6,389,535 in view of Shi et al US 
Patent No. 5,875,296. Thomlinson teaches a system for cryptographic protection of 
core data secrets. 

4. With regards to claims 1, 12, and 15, Thomlinson discloses a first key known as a
master key (column 9, lines 20-29) that is used to encrypt a second key known as an
item key (column 9, lines 20-29). When the user wishes to access data, the first key
(Thomlinson's master key) is used to decrypt the second key (column 10, lines 11-16) in
order to access the data. Thomlinson teaches the use of asymmetric public key 
cryptography in which keys are kept private to the content provider (column 3, lines 55- 
57). Further, Thomlinson teaches an encryption method that utilizes a user-supplied 
password and entropy to encrypt keys (column 9, lines 54-56). Thomlinson lacks a 
reference to the storing of the encrypted second key on a client machine. Shi 
discloses a distributed file system web server that performs user authentication with
cookies. Shi discloses a key that is stored on a client machine as a cookie (column 8,
lines 61-63). At the time the invention was made, it would have been obvious to a
person of ordinary skill in the art to utilize Thomlinson's described public key
cryptography system and allow the storage of a cookie containing a key on a client
machine. Using the public key system would make it unnecessary to continually 
change symmetric keys (column 3, lines 49-50), would provide a method of verifying 
senders (column 4, lines 22-26), and would make the private key known only to the 
content provider. With regards to storing the second key on a client machine, storing a 
key in the form of a cookie would make it unnecessary to have to enter a 
username/password combination each time a login is attempted (Shi, column 9, lines 
10-13). The cookie containing the key could be passed to the server upon each access 
(column 9, lines 3-4). Further, it would have been obvious to one of ordinary skill in the 
art to use Thomlinson's encryption method that utilized a password and entropy on the 
second key because if a password change was desired it would provide a simple 
method: only the second key would need to be re-encrypted (column 10, lines 17-23). 

5. With regards to claims 5, 13 and 16, Thomlinson and Shi disclose encryption
methods as described above. Thomlinson teaches a second key termed an item key 
that is encrypted using an algorithm that requires a user-supplied password with an 
optional addition of a one-time entropy from the user application (column 9, lines 51-57 
and lines 20-29). Further, Thomlinson discloses that accessing the data involves 
decryption that requires a user provided password as input (column 10, lines 7-8). At 
the time the invention was made, it would have been obvious to a person of ordinary
skill in the art to apply this encryption method to the second key for reasons 
aforementioned. Further, it would have been obvious to a person of ordinary skill in the 
art to require a password to be provided in order to decrypt the data to help prevent an 
unauthorized user from accessing data by fraudulently using an authorized client 
machine. 

6. Claims 2 and 6 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Thomlinson et al US Patent No. 6,389,535 in view of Shi et al US Patent No. 5,875,296 
as applied to claims 1 and 5 above, and further in view of Danneels US Patent No. 
6,571,339. Thomlinson and Shi, as described above, lack a reference to the
transmitting of the identity of the client machine for use in authenticating and controlling 
access to data. Danneels discloses the use of a processor identification number for 
authentication in which a computer provides its unique processor identification number 
across a network as a part of the authentication procedure (column 3, lines 56-60). At 
the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to utilize Danneels' unique processor identification method because it
would help provide a secure method of authentication that would prevent content from 
being distributed to unauthorized individuals (column 5, lines 34-39). 

7. Claims 3 and 7 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Thomlinson et al US Patent No. 6,389,535 in view of Shi et al US Patent No. 5,875,296 
as applied to claims 1 and 5 above, and further in view of Buck et al US Patent No. 
6,078,866. Thomlinson and Shi, as described above, lack a reference to a one-time 
password being a unique user identifier that is transferred out of band. Buck discloses
a system where new users create an account and are emailed a user password (column 
6, lines 52-56). At the time the invention was made, it would have been obvious to a 
person of ordinary skill in the art to utilize Buck's method of emailing passwords 
because it would permit the prompt distribution of a password and allow a user to 
quickly begin accessing a content provider (column 7, lines 33-35). 

8. Claims 4 and 8 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Thomlinson et al US Patent No. 6,389,535 in view of Shi et al US Patent No. 5,875,296 
as applied to claims 1 and 5 above, and further in view of IBM Technical Disclosure 
NN9503245 (March 1, 1995). Thomlinson and Shi, as described above, lack a 
reference to a session key. The aforementioned IBM Technical Disclosure describes a 
session key, Ka, created using password substitution, a permanent key, and a random 
nonce (Page 1, paragraph 2). At the time the invention was made, it would have been 
obvious to a person of ordinary skill in the art to utilize session keys because the use of 
session keys helps prevent key exposure (Page 3, paragraph 1). 

9. Claims 9-11, 14, and 17 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Jablon US Patent No. 6,226,383 in view of Thomlinson et al US 
Patent No. 6,389,535. Jablon describes cryptographic methods for remote 
authentication. With regards to claims 9, 14, and 17, Jablon discloses two systems that 
exchange the keys g^a and g^b. The client machine provides an identifier to the content
provider (column 11, lines 19-22). G, A, and B are randomly generated numbers and G
is known to both systems (column 4, lines 55-67 and column 5, lines 1-7). B is
generated and known only to one system and A is generated and known only to the
other system. The value g^(a*b) is calculated in order to find a shared key K (column 5,
lines 5-7). Jablon then teaches a modified version of the aforementioned key exchange
where one of the exponents, termed C, is based upon a password (column 7, lines 16-17).
In this modified version, the client proves knowledge of the key g^(a*b) to the server in
order to prove that the client had knowledge of the password (column 7, lines 26-28).
Jablon lacks a reference to the decryption of g b using the password. Thomlinson 
discloses decrypting a key using a password (column 10, lines 6-8). At the time the 
invention was made, it would have been obvious to a person of ordinary skill in the art to 
use passwords to decrypt keys to help prevent an unauthorized user from accessing 
data by fraudulently using an authorized client machine. 

10. With regards to claim 10, Jablon discloses that the client sends an identifier such 
as a name, ID, or address to the content provider. Jablon lacks a reference to requiring 
that a specific user only gain access through a specific client machine. At the time the 
invention was made, it would have been obvious to a person of ordinary skill in the art to 
require a match between a user name or ID with that of an address to provide a greater 
level of security by ensuring specific machines are only used by a trusted entity. 

11. Claim 11 is rejected under 35 U.S.C. 103(a) as being unpatentable over Jablon
US Patent No. 6,226,383 in view of Thomlinson et al US Patent No. 6,389,535 as
applied to claim 9 above, and further in view of Schneier, Applied Cryptography. Jablon
and Thomlinson, as described above, lack a reference to a MAC authentication
procedure. Schneier describes the one-way hash function termed a MAC that is used
to verify authenticity (Page 455, Section 18.14). At the time the invention was made, it
would have been obvious to a person of ordinary skill in the art to utilize Schneier's
MAC authentication on g^(a*b) to authenticate the server to the client because it provides a
verification method that is reliant on having the same key. Both client and server
generate the same key during the authentication procedure so the MAC authentication
would be an easy way to check authenticity without needing security since it is a
one-way function (Page 455, Section 18.14).
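
The exchange and MAC check described in paragraphs 9 and 11, as an added Python example that is not part of the Office action or of any cited reference. It covers only the plain exchange of g^a and g^b and a keyed-MAC confirmation from server to client, not Jablon's password-derived exponent; the group (2**127 - 1, base 3), the function names and the transcript layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumption, illustration only): the Mersenne prime 2**127 - 1
# and base 3. Far too small for real use; deployments use vetted large groups.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private exponent x, public value G**x mod P)."""
    while True:
        x = secrets.randbelow(P - 3) + 2
        pub = pow(G, x, P)
        if 1 < pub < P - 1:          # never publish a degenerate value
            return x, pub

def shared_key(own_private, peer_public):
    """Hash g^(a*b) into a MAC key, rejecting out-of-range peer values."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    secret = pow(peer_public, own_private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def server_tag(key, client_pub, server_pub):
    """Key-confirmation MAC over a role label and both public values."""
    transcript = b"server|" + client_pub.to_bytes(16, "big") + server_pub.to_bytes(16, "big")
    return hmac.new(key, transcript, hashlib.sha256).digest()

def client_accepts(client_priv, client_pub, server_pub, tag):
    """Client recomputes the tag from its own key; constant-time compare."""
    key = shared_key(client_priv, server_pub)
    return hmac.compare_digest(server_tag(key, client_pub, server_pub), tag)

def run_exchange(responder_knows_b=True):
    """Run one exchange; return True if the client accepts the server's tag."""
    a, ga = keypair()                 # client side
    b, gb = keypair()                 # server side
    # b + 1 stands in for any exponent other than b and keeps the demo deterministic.
    exponent = b if responder_knows_b else b + 1
    tag = server_tag(shared_key(exponent, ga), ga, gb)
    return client_accepts(a, ga, gb, tag)

if __name__ == "__main__":
    print("honest server accepted:", run_exchange(True))
    print("responder without b accepted:", run_exchange(False))
```

The tag verifies only when both sides derived the same key, so a responder that does not hold the exponent behind the published g^b is rejected.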

Conclusion 

12. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

13. Any inquiry regarding this communication from the examiner should be directed
to Andrew Nalven at (703) 305-8407 during the hours of 7:15 AM - 4:45 PM Monday 
through Thursday. The examiner can also be reached on alternate Fridays. 

In the event that attempts to reach the examiner are unsuccessful, the 
examiner's supervisor, Gregory Morse, can be reached on (703) 308-4789.

Any response to this action should be mailed to: 

Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Or faxed to:

(703) 746 - 7239 (for formal communications intended for entry)

Or:

(703) 746 - 7240 (for informal or draft communications, please label
"PROPOSED" or "DRAFT")

Hand-delivered responses should be brought to Crystal Park II, 2121 Crystal 
Drive, Arlington, VA 22202, Fourth Floor (Receptionist). 



Any inquiry of a general nature or relating to the status of this application or
proceeding should be directed to the receptionist whose telephone number is (703) 305-3900.




MATTHEW SMITHERS
PRIMARY EXAMINER 



